Template for a good false-positive report, formatted with Markdown:

versions used (SonarQube, Scanner, language analyzer)

SonarQube ID information
- Server ID: 69FF93D0-AXobHJEaf-WIDwV27NKO
- Version: 8.9.1.44547
- Date: 2021-09-09

C++
Qube correctly identified the TLS < 1.2 issue, but reopened the issue after it was fixed. The fixed and reopened sample is below.
minimal code sample to reproduce (with analysis parameter, and potential instructions to compile).
Wrap code around triple quote ``` for proper formatting

```cpp
curl_easy_setopt(curlHandle, CURLOPT_URL, url_.c_str());
curl_easy_setopt(curlHandle, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);
curl_easy_setopt(curlHandle, CURLOPT_CAINFO, "/etc/openvpn/cacert.pem");
curl_easy_setopt(curlHandle, CURLOPT_NOSIGNAL, 1L); // don't use signals
curl_easy_setopt(curlHandle, CURLOPT_FAILONERROR, 1L); // fail on any code >= 400
curl_easy_setopt(curlHandle, CURLOPT_TIMEOUT, 900L); // 15 minute timeout
curl_easy_setopt(curlHandle, CURLOPT_CONNECTTIMEOUT, 30L); // 30 second connection timeout
curl_easy_setopt(curlHandle, CURLOPT_MAXCONNECTS, 1L); // only allow a single connection
curl_easy_setopt(curlHandle, CURLOPT_NOPROGRESS, 0L);
```
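The report above concerns a rule that flags weak SSL/TLS minimum versions passed to `CURLOPT_SSLVERSION`. The following is an added example, not code from the original post and not SonarSource's analyzer: a small checker that scans C/C++ source lines for `curl_easy_setopt(..., CURLOPT_SSLVERSION, ...)` and classifies the value the way a reviewer would when triaging such a finding. It assumes the numeric values of the `CURL_SSLVERSION_*` constants from `curl/curl.h` (minimum version in the low 16 bits, `CURL_SSLVERSION_MAX_*` in the high bits) and uses a constructed sample that reproduces the fixed line from the report alongside weak variants; unrecognized names (a project macro, for instance) are reported as `unknown` rather than guessed.

```python
import re

# Values of the CURLOPT_SSLVERSION constants as defined in curl/curl.h (assumed here).
# The low 16 bits select the minimum protocol version; the CURL_SSLVERSION_MAX_*
# values occupy the high bits and select the maximum version.
CURL_SSLVERSION = {
    "CURL_SSLVERSION_DEFAULT": 0,
    "CURL_SSLVERSION_TLSv1": 1,      # "TLS 1.x": still permits 1.0 and 1.1
    "CURL_SSLVERSION_SSLv2": 2,
    "CURL_SSLVERSION_SSLv3": 3,
    "CURL_SSLVERSION_TLSv1_0": 4,
    "CURL_SSLVERSION_TLSv1_1": 5,
    "CURL_SSLVERSION_TLSv1_2": 6,
    "CURL_SSLVERSION_TLSv1_3": 7,
    "CURL_SSLVERSION_MAX_DEFAULT": 1 << 16,
    "CURL_SSLVERSION_MAX_TLSv1_0": 4 << 16,
    "CURL_SSLVERSION_MAX_TLSv1_1": 5 << 16,
    "CURL_SSLVERSION_MAX_TLSv1_2": 6 << 16,
    "CURL_SSLVERSION_MAX_TLSv1_3": 7 << 16,
}

WEAK_MIN = {1, 2, 3, 4, 5}   # anything that admits SSLv2/SSLv3/TLS 1.0/TLS 1.1
WEAK_MAX = {4, 5}            # a maximum of TLS 1.0 or 1.1 caps the handshake too low

# Matches a single curl_easy_setopt call that sets CURLOPT_SSLVERSION and captures
# the value expression (third argument).
_SETOPT_RE = re.compile(
    r"curl_easy_setopt\s*\(\s*[^,()]+,\s*CURLOPT_SSLVERSION\s*,\s*([^;]+?)\s*\)\s*;"
)


def parse_sslversion(expr):
    """Split an expression such as 'CURL_SSLVERSION_TLSv1_2 | CURL_SSLVERSION_MAX_TLSv1_3'
    into (minimum, maximum) codes. Returns None if any token is not a known
    constant or integer literal."""
    value = 0
    for token in (t.strip() for t in expr.split("|")):
        token = re.sub(r"^\(\s*long\s*\)\s*", "", token)  # tolerate a (long) cast
        if token in CURL_SSLVERSION:
            value |= CURL_SSLVERSION[token]
        elif re.fullmatch(r"\d+[lL]?", token):
            value |= int(token.rstrip("lL"))
        else:
            return None
    return value & 0xFFFF, value >> 16


def classify(expr):
    """Return 'ok', 'weak', 'unspecified' or 'unknown' for a CURLOPT_SSLVERSION value."""
    parsed = parse_sslversion(expr)
    if parsed is None:
        return "unknown"
    minimum, maximum = parsed
    if minimum in WEAK_MIN or maximum in WEAK_MAX:
        return "weak"
    if minimum == 0:
        return "unspecified"  # CURL_SSLVERSION_DEFAULT: minimum left to the TLS backend
    return "ok"


def scan(source):
    """Return (line number, expression, verdict) for every CURLOPT_SSLVERSION call."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for match in _SETOPT_RE.finditer(line):
            expr = match.group(1)
            findings.append((lineno, expr, classify(expr)))
    return findings


# Constructed sample: line 2 reproduces the fixed line from the report; the rest are
# made-up variants showing what a reviewer would and would not accept.
SAMPLE = """\
curl_easy_setopt(curlHandle, CURLOPT_URL, url_.c_str());
curl_easy_setopt(curlHandle, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);
curl_easy_setopt(legacyHandle, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_0);
curl_easy_setopt(cappedHandle, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2 | CURL_SSLVERSION_MAX_TLSv1_1);
curl_easy_setopt(strictHandle, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2 | CURL_SSLVERSION_MAX_TLSv1_3);
curl_easy_setopt(macroHandle, CURLOPT_SSLVERSION, APP_TLS_VERSION);
"""

if __name__ == "__main__":
    for lineno, expr, verdict in scan(SAMPLE):
        print(f"line {lineno}: {verdict:11s} {expr}")
```

The fixed line from the report classifies as `ok`, which is the result the reporter expected from the analyzer; a macro in place of the constant comes back `unknown`, which is exactly the situation where a reproducer with the full preprocessor context (as requested in the reply below) is needed to tell a real finding from a false positive.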
Hi, @glennclapp and welcome!
I am one of the developers working on the implementation of the rule detecting weak SSL and TLS versions used in C sources.
I’m afraid I need more information to diagnose this issue. I tried to reproduce the issue, and I get no reports for the line `curl_easy_setopt(curlHandle, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);`.

Here is how to generate a reproducer containing all the relevant information: the source files, compiler flags, and environment variables:

1. Add the reproducer option to the scanner configuration:
   `sonar.cfamily.reproducer="Full path to the .cpp file that has or includes the file that has the false-positive"`
2. Re-running the scanner should generate a file named `sonar-cfamily.reproducer` in the project folder.

Please share this file. If you think this file contains sensitive information you can send it privately.